Hi All, We have integrated MS SQL logs with Splunk. The current default add-on supports logs via DB Connect but we do not have database connectivity directly. Rather, all the logs are written in Security logs for Windows Event viewer with most of the details in the Message field. Currently all the fields are not being parsed . How can we make it CIM compliant ?  ... View more

Hi I have a 2 site architecture Site 1 - 2 indexers, 2 ES SH Site 2 - 2 indexers, 1ES SH All of them are in clusters.I wish to have 1 copy per site . What should be my RF and SF?  Can you also suggest the min rf and sf configuration.    ... View more

Hi  I have a following architecture and i am trying to setup my Search head cluster . i have multiple questions ,  if i want to have 1 copy of search artifact in each SH what should be my replication factor here in this command  splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret <security_key> -shcluster_label <label> Second question is how will i set up the captain in this cluster  If i run this command on the SH1 will it become captain  opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list "https://splunk-essh01.abc.local:8089,https://splunk-essh02.abc.local:8089,https://splunk-essh03.abc.local:8089" Last question is if i want to connect this SHC to the indexer cluster , will this command work  splunk edit cluster-config -mode searchhead -site site0 -manager_uri https:// LB-IP-OR-DNS-HOSTNAME:8089   -replication_port 9887 -secret "<redacted>"     ... View more

Hi all, I am trying to integrate MS SQL audit log data with a UF instead of DB Connect. What is the best and recommended way to do it that maps all fields? At the moment it is integrated with the UF and using the "Splunk Add-on for Microsoft SQL Server" Also i am seeing one additional dummy event(no values nothing blank event) with every event that is coming My Inputs.conf    [WinEventLog://Security] start_from = oldest current_only = 0 checkpointInterval = 5 whitelist1 = 33205 index = test_mssql renderXml=false sourcetype = mssql:aud disabled = 0     ... View more

Hi Team Can some one help me ,what i should do to migrate items from on-premise SH to Splunk cloud ? Like Lookup,ES use cases ,alerts created in search and reporting , reports and dashboards ? Any step based resolution will be helpful . Can i do it alone or would it require on-demand support from splunk to do these migration ? ... View more

Hi  Can some one help me with the following questions 1) My current setup is in on-premise and i plan to migrate to splunk cloud ,what things should i know ? I dont want historical data to be transfered to cloud .? 2) Suppose i have 1000 UF and 5 syslog servers , how should i be sending this data ?  3) Should i install the  Splunk credential package on all of these 1000 + 5 machines or should i deploy a HF before then send it to splunk cloud ? 4) Is there any encryption and compression of data that i have to do before sending to cloud or is it taken care by splunk ? ... View more

Observed a peculiar case where UF in a syslog is not reading the complete log file . If for example there exists a pan log for 4th Nov with logs available for every hour in that log file . UF seems to read only the first 4 hours and then stops ingesting to the cloud .The next day when new file log ie 5th Nov file is created it again starts to read that log file for couple of hours and then stops . Points to be noted : There is only one log file (2022-11-05.log)  which keeps updating as logs get pushed to the syslog from the network host . Size of the log for one day is around 500 GB plus No CRC is used in the input setting . Can you let me know what is causing the UF to stop reading the complete log file ... View more

Hi  Please let me know if i upgrade from current version of  TA for Microsoft Windows Defender from 1.0.0 to 1.0.6 , will it cause any issues . Do i have to save the secret key and all .    Regards    Rahul    ... View more

Hi All , Can some one help me understand why  similar query gives me 2 different results for a intrusion detection datamodel . Only difference bw 2 is the order . Query 1: | tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url | eval source="wildfire" | rename IDS_Attacks.url as wildfireurl | rex field=wildfireurl "(?P<domain>[^\/]*)" | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString | search EvidenceDetails =* OR description=* OR RiskString=* | rename "IDS_Attacks.*" as * | append    [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"        [| inputlookup ids_malicious_ip_tracker        | fields src        | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port    | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match    | where src_match="NONE" OR isnull(src_match)    | fields - src_match    | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk    | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight    | lookup ips_tor.csv ip as All_Traffic.src output app as app    | search EvidenceDetails =* OR description=* OR app="tor"    | where Risk > 69 OR weight > 40 OR app="tor"    | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)    | fields - description, EvidenceDetails    | eval Attack_Count = mvcount(rf_evidence_details_0)    | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12    | rename "All_Traffic.*" as *] | append    [| tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest    | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk    | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight    | search EvidenceDetails =* OR description=*    | where Risk > 69 OR weight > 40    | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)    | fields - description, EvidenceDetails    | eval Attack_Count = mvcount(rf_evidence_details_0)    | search count > 100    | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12    | rename "All_Traffic.*" as *] Second Query : | tstats summariesonly=true count values(All_Traffic.action) values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes by All_Traffic.src, All_Traffic.transport, All_Traffic.dest_port, All_Traffic.dest | lookup rf_ip_risklist.csv Name as All_Traffic.dest OUTPUT EvidenceDetails Risk | lookup idefense_ip_intel ip as All_Traffic.dest OUTPUT description weight | search EvidenceDetails =* OR description=* | where Risk > 69 OR weight > 40 | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description) | fields - description, EvidenceDetails | eval Attack_Count = mvcount(rf_evidence_details_0) | search count > 100 | search All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12 | rename "All_Traffic.*" as * | append    [| tstats summariesonly=true values(All_Traffic.dest) as dest values(All_Traffic.app) as app values(All_Traffic.http_category) as http_category from datamodel=Network_Traffic where All_Traffic.ICS_Asset=Yes All_Traffic.action=allowed app!="insufficient-data" app!="incomplete"        [| inputlookup ids_malicious_ip_tracker        | fields src        | rename src AS All_Traffic.src ] by All_Traffic.src,All_Traffic.transport,All_Traffic.dest_port    | lookup n3-a_cidr_wlist.csv cidr_range as All_Traffic.src OUTPUT cidr_range as src_match    | where src_match="NONE" OR isnull(src_match)    | fields - src_match    | lookup rf_ip_risklist.csv Name as All_Traffic.src OUTPUT EvidenceDetails Risk    | lookup idefense_ip_intel ip as All_Traffic.src OUTPUT description weight    | lookup ips_tor.csv ip as All_Traffic.src output app as app    | search EvidenceDetails =* OR description=* OR app="tor"    | where Risk > 69 OR weight > 40 OR app="tor"    | eval rf_evidence_details_0 = mvappend(EvidenceDetails, description)    | fields - description, EvidenceDetails    | eval Attack_Count = mvcount(rf_evidence_details_0)    | search NOT All_Traffic.src=10.0.0.0/8 OR All_Traffic.src=192.168.0.0/16 OR All_Traffic.src=172.16.0.0/12    | rename "All_Traffic.*" as *] | append    [| tstats summariesonly=true values(IDS_Attacks.dest) as dest values(IDS_Attacks.dest_port) as port from datamodel=Intrusion_Detection where IDS_Attacks.ICS_Asset=Yes IDS_Attacks.url=* by IDS_Attacks.src,IDS_Attacks.transport,IDS_Attacks.url    | eval source="wildfire"    | rename IDS_Attacks.url as wildfireurl    | rex field=wildfireurl "(?P<domain>[^\/]*)"    | lookup rf_url_risklist.csv Name as wildfireurl OUTPUT EvidenceDetails Risk    | lookup idefense_http_intel ip as wildfireurl OUTPUT description weight    | lookup rf_domain_risklist.csv Name as domain OUTPUT RiskString    | search EvidenceDetails =* OR description=* OR RiskString=*    | rename "IDS_Attacks.*" as *] (edited)   above query has 3 parts suspicious inbound ,suspicious outbound and suspicious url . While executing the first query i am getting 1 result and while executing 2 query i am getting 6 results for the same time frame ... View more

Hi Can some one help me , how we can create the attached dashboard . I do know we have to use the Geostats command ,but how can we utilize it in the use-cases created . How can we get the longitude and latitude values from the use-cases . Can some one help with the query ?   ... View more

Hi All , We have 1 indexer, 1 SH and 1 DS . We are  planning for an OS upgrade (OS RHEL 6 to OL 7)  .All the these devices are on the Cloud . Can someone help me what are the steps to be taken from Splunk perspective during this upgrade . What are the checks to be done and is there any pattern like first indexer , then DS and then SH to be followed . What to do in a fail over . Splunk is not getting upgraded as of now . We are keeping the same splunk version 7.3. I have already read this article   https://community.splunk.com/t5/Installation/What-s-the-order-of-operations-for-upgrading-Splunk-Ent...  but i am not upgrading splunk here .  ... View more